ambari-issues mailing list archives

[jira] [Commented] (AMBARI-18635) Authorizations given to roles, should use generic role-based principals rather than hard-coded pseudo-role-based principals

Date

Thu, 20 Oct 2016 15:53:58 GMT

[ https://issues.apache.org/jira/browse/AMBARI-18635?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15592189#comment-15592189
]
Hadoop QA commented on AMBARI-18635:
------------------------------------
{color:red}-1 overall{color}. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12834396/AMBARI-18635_trunk_01.patch
against trunk revision .
{color:green}+1 @author{color}. The patch does not contain any @author tags.
{color:green}+1 tests included{color}. The patch appears to include 10 new or modified
test files.
{color:green}+1 javac{color}. The applied patch does not increase the total number of
javac compiler warnings.
{color:green}+1 release audit{color}. The applied patch does not increase the total number
of release audit warnings.
{color:red}-1 core tests{color}. The patch failed these unit tests in ambari-admin ambari-server:
org.apache.ambari.server.api.services.AmbariMetaInfoTest
org.apache.ambari.server.api.services.KerberosServiceMetaInfoTest
org.apache.ambari.server.state.kerberos.KerberosDescriptorUpdateHelperTest
org.apache.ambari.server.state.stack.ConfigUpgradeValidityTest
org.apache.ambari.server.stack.StackManagerTest
Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/8939//testReport/
Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/8939//console
This message is automatically generated.
> Authorizations given to roles, should use generic role-based principals rather than hard-coded
pseudo-role-based principals
> ---------------------------------------------------------------------------------------------------------------------------
>
> Key: AMBARI-18635
> URL: https://issues.apache.org/jira/browse/AMBARI-18635
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.4.0
> Reporter: Robert Levas
> Assignee: Robert Levas
> Fix For: 2.4.2
>
> Attachments: AMBARI-18635_branch-2.4_01.patch, AMBARI-18635_branch-2.5_01.patch,
AMBARI-18635_trunk_01.patch
>
>
> Authorizations given to roles, should use generic role-based principals rather than hard-coded
resource types.
> Access to views can be assigned to all users with a given role. The implementation for
this lead to the creation of hard-coded principals that represent the current set of roles.
This is not dynamic enough for possibly future enhancements where new roles may be created
by administrators.
> This needs to be changed such that rather that using the hard-coded pseudo-role-principals,
the dynamically generated role-principals are to be used.
> The hard-coded pseudo-role-principals have the following {{adminprincipaltype}} values
as opposed to "ROLE":
> * ALL.CLUSTER.ADMINISTRATOR
> * ALL.CLUSTER.OPERATOR
> * ALL.SERVICE.ADMINISTRATOR
> * ALL.SERVICE.OPERATOR
> * ALL.CLUSTER.USER
> These should be removed along with the associated {{adminprincipal}} records.
> Also, the FE should be updated to set permissions using the dynamic role-principals.
> Finally, code should be cleaned up to remove unneeded code in
> * org.apache.ambari.server.security.authorization.ClusterInheritedPermissionHelper
> * org.apache.ambari.server.controller.internal.GroupPrivilegeResourceProvider#getResources
> * org.apache.ambari.server.controller.internal.PrivilegeResourceProvider#toEntity
> * org.apache.ambari.server.controller.internal.UserPrivilegeResourceProvider#getResources
> * org.apache.ambari.server.security.authorization.AuthorizationHelper#isAuthorized
> * org.apache.ambari.server.view.ViewRegistry#addClusterInheritedPermissions
> * ...
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)